The security firm Secura has published a white paper on a vulnerability (CVE-2020-1472) affecting Microsoft's Netlogon authentication component. The vulnerability allows unauthorized code execution on the Domain Controller. The company named the vulnerability "Zerologon" because the attack works by supplying the "0" character in the Netlogon authentication parameters. The attack is listed under MITRE ATT&CK as a "Lateral Movement" tactic and as "Exploitation of Remote Services (T1210)".
About the Vulnerability:
The vulnerability received the maximum criticality rating of 10 out of 10 (CVSS score). The root cause is stated to be a weak cryptographic algorithm used in the authentication step of the Netlogon protocol. The vulnerability allows an attacker with network access to the Domain Controller to take control of the entire Active Directory service, that is, of the Domain Controller server itself.
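As an added illustration of that weakness (example code written for this page, not from Secura's paper or the PoC repositories), the block below implements AES in CFB8 mode the way Netlogon's credential computation uses it, with the IV fixed to all zeros, and shows that for roughly one key in 256 an all-zero input encrypts to an all-zero output, which is what makes a zero-filled parameter predictable. The function names and the counter-derived test keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
)

// cfb8Encrypt is AES-CFB8: each plaintext byte is XORed with the first
// byte of the encrypted shift register, which then slides left by one
// byte with the ciphertext byte appended. Panics on an invalid key length.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:]) // Go's copy handles the overlap correctly
		reg[aes.BlockSize-1] = out[i]
	}
	return out
}

// ZeroIVCollapses reports whether an all-zero IV and an all-zero 8-byte
// plaintext encrypt to all zeros under key. This happens exactly when the
// first byte of AES_key(0^16) is zero: the shift register then never
// changes, so every output byte is that same zero (a 1-in-256 event).
func ZeroIVCollapses(key []byte) bool {
	out := cfb8Encrypt(key, make([]byte, aes.BlockSize), make([]byte, 8))
	return bytes.Equal(out, make([]byte, 8))
}

// CountCollapsingKeys derives n constructed keys from a counter and
// returns how many collapse; expect roughly n/256.
func CountCollapsingKeys(n int) int {
	count := 0
	for i := 0; i < n; i++ {
		k := sha256.Sum256([]byte{byte(i), byte(i >> 8), byte(i >> 16)})
		if ZeroIVCollapses(k[:16]) {
			count++
		}
	}
	return count
}
```

The fix is therefore not in the cipher itself but in the protocol: a mode that reuses a fixed zero IV with attacker-chosen input leaks this structure, so patched servers must reject the insecure channel rather than hope the odds protect them.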
It is expected that attackers will favour this attack because it completes very quickly and the only requirement is access to the target network. Microsoft Security Intelligence stated in a social media post that attackers had already begun exploiting this vulnerability.
Since the vulnerability directly affects the Domain Controller, it is predicted that attackers may distribute malware across the target network or deploy ransomware to encrypt every device joined to the domain and demand payment in return.
Microsoft has published an update addressing the vulnerability.
Security researchers at Secura have published an open-source Python script (https://github.com/SecuraBV/CVE-2020-1472) for testing whether a system is vulnerable to Zerologon. However, because the script changes the password of the Domain Controller's computer account when it succeeds, it is recommended not to run it in a production environment.
Apart from Secura's script, various other PoC codes have been published on GitHub:
Security Steps: